In somewhat unclear statement issued a week ago, Visa acknowledged that a U.S. merchant "may have experienced a data security breach" that compromised credit card account information.

An investigation by CNET has been able to get an even unclear response by Visa,

..[N]o other information was
available at this time, including the name of the merchant, the number
of accounts involved or when the event occurred.

Is this a major security breach or just a small vendor-related incident? Usually, in similar circumstances, the name of the affected vendor quickly surfaces, but in this case the name of the vendor and the number of affected customers are unclear. According to California law, a vendor has to notify its California customers for breaches in the security of their data. The fact that there has not been a major announcement in California, at least, may indicate that the incident is still under investigation and disclosure may not be feasible.

[Via News.com]

Not a landmark case by any means, but the BBC reports on a EU spam case settlement brought by an Internet businessman against a Media Logistics, a UK-based firm for sending unsolicited bulk E-mail. The case was brought under anti-spam EU law, the directive on privacy and telecommunications, which gave individuals the right to fight the growing tide of unwanted e-mail by allowing them to claim damages.

Mr. Roberts, the plaintiff, received unwanted email ads from Media Logistics and filed an action against the company. The company did not defend the case and the judge issued a default judgment for Roberts. In a subsequent settlement, Media Logistics agreed to pay £300 (270 + 30 filing fee) to Robers and settle the dispute out of court.

Although a tiny victory with no precedent value in UK courts, this shows that EU spam laws have some teeth. "Some" teeth, because it is not clear how the court would have decided the case had Media Logistics appeared in court and defended on the merits.

What a great way to start the new year - a zero day vulnerability in WMF format. And while many of us are enjoying time away from the desks, adware/spyware/phishers are not wasting time and building on the vulnerability.

Websense’s Security Labs alert has a great writeup on how adware vendors are using this vulnerability to install spyware on Windows computers.

Currently the Exfol and Freecat.biz websites are distributing exploit
files that are utilizing the WMF vulnerability, which allows the
un-authorized running of applications. The files are Trojan
Downloader’s which download and run files from the freecat.biz website
and are named: pawn001.exe through pawn009.exe. Upon viewing any of the
MWF files the end-users machines downloads and runs one of the
aforementioned files. The files themselves are designed to install
several pieces of Potentially Unwanted Software. In several cases these
report that your machine has been infected with Spyware and that you
may have security problems on your machine. You are then prompted to
purchase software from one of the affiliates in order to clean your
machine. At this time the current prices we saw was $29 per quarter
year.

It is interesting that the company peddling this software is registered in the Vanuatu (in South Pacific) and the sites are (as of the time of this posting) hosted in South America. Of course, it is possible for a legitimate business to be registered in the Vanuatu and host ouf of South America, but somehow this arrangement has a bad odor.

[Via ZDNet -]